Macro malware attacks gather pace as criminals look to cut costs

Return of old type of malware driven by cost cutting as well as success, says Proofpoint


First used a decade ago, ‘throwback’ Office macro malware has returned with a vengeance, security firm Proofpoint has confirmed, after tracking a recent surge in attacks that has gathered pace since late 2014.

At first it’s hard to believe that the old-world macro ‘virus’ could once again pose a significant threat but that’s what appears to be happening, driven largely by campaigns to distribute two families of banking malware, Dridex and Dyre.

For the longest time, attachment malware has focused almost exclusively on PDFs, archive files or executables with most of the heavy lifting done using malicious URLs embedded inside emails or on websites.

From last September onwards, malware criminals started using Word and, to a lesser extent, Excel documents with embedded macro code that activates once unsuspecting users have been persuaded to click the ‘enable content’ prompt.
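The attachments described above can be triaged before they reach a user: modern Word and Excel files are OOXML zip archives whose VBA code is stored in a `vbaProject.bin` part, while the legacy binary formats use an OLE2 container that needs a dedicated parser. The following is an added example, not Proofpoint's or the article's own code; `build_sample` constructs a minimal archive purely for demonstration and is not a real Word document.

```python
import io
import zipfile
from typing import Dict, List

OLE2_MAGIC = b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1"      # legacy .doc/.xls container
VBA_CONTENT_TYPE = b"application/vnd.ms-office.vbaProject"


def inspect_attachment(data: bytes) -> Dict[str, object]:
    """Report whether an Office attachment carries a VBA project (mail-gateway triage)."""
    evidence: List[str] = []
    if data.startswith(OLE2_MAGIC):
        # Binary .doc/.xls: macros live inside OLE storages, which this lightweight
        # check cannot parse, so flag the file for a deeper scan rather than clearing it.
        return {"container": "ole2", "has_vba": None,
                "evidence": ["legacy OLE2 container, needs deep scan"]}
    if not data.startswith(b"PK"):
        return {"container": "unknown", "has_vba": False, "evidence": evidence}
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
            for name in names:
                if name.lower().endswith("vbaproject.bin"):
                    evidence.append("part " + name)
            # The content-types manifest also declares the VBA part; check both so a
            # renamed or oddly placed part is still caught.
            if "[Content_Types].xml" in names and VBA_CONTENT_TYPE in zf.read("[Content_Types].xml"):
                evidence.append("content type declares vbaProject")
    except zipfile.BadZipFile:
        return {"container": "unknown", "has_vba": False, "evidence": ["corrupt zip"]}
    return {"container": "ooxml", "has_vba": bool(evidence), "evidence": evidence}


def build_sample(with_macro: bool) -> bytes:
    """Constructed minimal OOXML-like archive for the demonstration (not a real Word file)."""
    overrides = b'<Override PartName="/word/document.xml" ContentType="application/xml"/>'
    if with_macro:
        overrides += (b'<Override PartName="/word/vbaProject.bin" ContentType="'
                      + VBA_CONTENT_TYPE + b'"/>')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", b"<Types>" + overrides + b"</Types>")
        zf.writestr("word/document.xml", b"<document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"constructed placeholder, no real VBA")
    return buf.getvalue()


if __name__ == "__main__":
    for flag in (True, False):
        print(inspect_attachment(build_sample(flag)))
```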

Proofpoint said the phenomenon reached its peak in late April and early May, when macro malware was being used to distribute no fewer than 56 different Dridex campaigns, eclipsing malicious URLs in terms of absolute volumes.

The obvious question is why such an old technique should return years after security experts wrote it off as more or less obsolete.

“There has got to be a good reason it’s come back,” agrees Proofpoint vice president, Kevin Epstein.

The reason appears to be a combination of small advantages rather than one big over-arching reason, starting with the fact that any platform that can run Office can be attacked, Macs as well as Windows PCs. Macros can be re-purposed across platforms very easily.

A second reason is that the technique is cheap and requires very little infrastructure to pull off. Macros are as simple a malware type as it is possible to imagine and can be programmed very quickly as well as tweaked to beat what defences they encounter.

Macro malware also allows for a useful layer of feedback so that criminals can track users opening infected files, most likely as a way for the malware developer to demonstrate the success of a particular example to the distributor or customer.

“It is also essential business intelligence for threat actors who are evaluating the success of their campaigns, and for malicious macro developers who are eager to demonstrate the ROI of their campaigns and drive future business,” noted Proofpoint’s research note on the subject.

Criminals were also attracted by the staggering simplicity of a technique that requires no expensive-to-acquire zero-day software flaws to work. Exploit-based attacks can be hugely successful, but if the targeted system is patched or is not running the vulnerable software, they fail outright. Macros can, in principle at least, infect any system as long as they aren’t picked up by security software or the targeted user.

Certainly, by Proofpoint’s estimation, a macro malware campaign would currently cost a criminal group a lot less than many rival distribution methods.

“It is no surprise that malicious macro attachment campaigns have grown so rapidly in both size and frequency, and we can expect that they will only begin to subside when this equation changes and either their cost increases or their effectiveness decreases to the point that they can no longer deliver the same ROI.”

Proofpoint offers no guesses as to the effectiveness of the latest wave of macro attacks but it should be inferred from its rise to prominence that cybercriminals were pleasantly surprised at how well these campaigns worked.

Earlier this week McAfee reported on a surge in the volume of ransom malware, a more recent and complex threat. The return of macro malware proves that complexity itself is no guide to malware popularity; professional cybercriminals always gravitate to what delivers not what impresses researchers.
